[ REQ ] Who Can Find This Wordpress Hack ?!

***Leddie Malik*** · (This post was last modified: 11-13-2015 08:35 AM by Leddie Malik.)

Somebody have hacked a wordpress site :)
he hacked only index.php
[Image: Capture.png]

I Found The F****** Kid :D https://www.facebook.com/bikashpoudel66

Hitface

on the index.php was this code

Quote:<embed src="http://www.youtube.com/v/9dDZaMP5Q-c&feature=related&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed>
</object>
<head>
<link href=' http://font s.googleap is.com /css?famil y=Averia+ Sans+Libre'
rel='stylesheet'
type='text/css'>
<link href=' http://font s.googleap is.com /css?famil y=Orbitron :700' rel='stylesheet'
type='text/css'>
<title>Hacked by craXer bikash</title>
<link rel="shortcut icon"
href=" http://www .johnnyaus tin.com /images /projects /Skull.png"/>
<meta content='Hacked by craXer bikash' name='description'/>
<meta content='Hacked by craXer bikash' name='keywords'/>
<meta content='Hacked by craXer bikash' name='Author'/>
<script type="text/javascript">
//<![CDATA[
window.__CF=window.__CF||{};window.__CF.AJS={"ga_key":{"ua":"UA-32813477-2","ga_bs":"2"}};
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
try{if (!window.CloudFlare) { var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",mirage:{responsive:0,lazy:0},mirage2:0,oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/abv=4187755003/"},atok:"492b94778c476950de8289732b63f893",zone:" hack-db.co m",rocket:"0",apps:{"ga_key":{"ua":"UA-32813477-2","ga_bs":"2"}}}];var a=document.createElement("script"),b=document.getElementsByTagName("script")[0];a.async=!0;a.src="// ajax.cloud flare.com/ cdn- cgi/nexp /abv=1573 736665 /cloudflar e.min.js";b.parentNode.insertBefore(a,b);}}catch(e){};
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
window.__CF=window.__CF||{};window.__CF.AJS={"ga_key":{"ua":"UA-32813477-2","ga_bs":"2"}};
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
try{if (!window.CloudFlare) { var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",mirage:{responsive:0,lazy:0},mirage2:0,oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/abv=4187755003/"},atok:"f46943201db8357de4c15bac343d60b7",zone:" hack-db.co m",rocket:"0",apps:{"ga_key":{"ua":"UA-32813477-2","ga_bs":"2"}}}];var a=document.createElement("script"),b=document.getElementsByTagName("script")[0];a.async=!0;a.src="// ajax.cloud flare.com/ cdn- cgi/nexp /abv=1573 736665 /cloudflar e.min.js";b.parentNode.insertBefore(a,b);}}catch(e){};
//]]>
</script>
<SCRIPT language=JavaScript>

</SCRIPT>

<SCRIPT language=Javascript></SCRIPT>
<STYLE fprolloverstyle="">A:hover{TEXT-DECORATION:overline}TEXTAREA{background-color:transparent;border:none;FONT:14px Verdana,Arial,Helvetica,sans-serif;COLOR:#00ff00;}</STYLE>
<script type="text/javascript">/* CloudFlare analytics upgrade */
</script>
<script type="text/javascript">
/* <![CDATA[ */
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-32813477-2']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.g oogle- analytics.c om/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
(function(b){(function(a){"__CF"in b&and"DJS"in b.__CF?b.__CF.DJS.push(a):"addEventListener"in b?b.addEventListener("load",a,!1):b.attachEvent("onload",a)})(function(){"FB"in b&and"Event"in FB&and"subscribe"in FB.Event&and(FB.Event.subscribe("edge.create",function(a){_gaq.push(["_trackSocial","facebook","like",a])}),FB.Event.subscribe("edge.remove",function(a){_gaq.push(["_trackSocial","facebook","unlike",a])}),FB.Event.subscribe("message.send",function(a){_gaq.push(["_trackSocial","facebook","send",a])}));"twttr"in b&and"events"in twttr&and"bind"in twttr.events&&twttr.events.bind("tweet",function(a){if(a){var b;if(a.target&&a.target.nodeName=="IFRAME")a:{if(a=a.target.src){a=a.split("#")[0].match(/[^?=and]+=([^and]*)?/g);b=0;for(var c;c=a;++b)if(c.indexOf("url")===0){b=unescape(c.split("=")[1]);break a}}b=void 0}_gaq.push(["_trackSocial","twitter","tweet",b])}})})})(window);
/* ]]> */
</script>
</HEAD>
<center>
<BODY onload=type_text() onclick='noalert("XstreeTz Dot ID")' oncontextmenu='return false;' onkeydown='return false;'onmousedown='return
false;'>
<center><span style="font-family:'Orbitron', sans-serif;font-size:48px;color: white;text-shadow: 0 0 50px lime,10px 10px 50px lime,0 0 20px lime,0 0 50px lime;">
<p>Hacked by craXer bikash</p>
</span>
<STYLE type=text/css>BODY{background:url( https://fbc dn- sphotos- a-a.akamai hd.net />>>[[[Reported by Members as Spam Site]]]<<<- ak-ash3 /946900_5 590900941 34038_152 2481572_n. jpg) top no-repeat fixed;-webkit-background-size:cover;-moz-background-size:cover;-o-background-size:cover;background-size:cover;background-color:#000000;}</STYLE>
<br><br>
<P><BR></P>
<TABLE BORDER="0" cellpadding="0" CELLSPACING="0">
<TR>
<TD WIDTH="661" HEIGHT="461" BACKGROUND=" http://s2.p ostimage.o rg /oiwxx014 p /bttermina l.png" VALIGN="center"><br><br>
<H2 align=center><FONT face=Impact color=#ffffff></FONT><FONT face=Impact color=##FF0000></FONT></H2><FONT face=Impact color=#FFFFFF></FONT>
<FONT face=Impact color=#FFFFFF></FONT>
<FORM><FONT face=Impact color=#FF0000><TEXTAREA rows=22.5 cols=87></TEXTAREA>
</FONT></FORM></TD>
</TR>
</TABLE>
</center>
</BODY></HTML>
<script type="text/javascript">
writeContent(true);
</script>
<FONT face=System color=#FFFF00><center>Greetz :</center></font><br/>
<FONT face=System color=#00FF00><marquee>|| Anodox || arjun || </marquee></font><br/><br/>
<FONT face=System color=#FF0000><center>Special Thanks To:</center></font><br/>
<FONT face=System color=#00FF00><marquee>Anonymous Nepal ^_^ </marquee></font>
<font style="font-size: 4pt;" face="Courier New">
</font>
<center>
</center>
<script type="text/javascript" src="http://ahmad-rifai-
tools.goog lecode.com /files /salju- blog.ahma drifai.net.j s" /></script>
<script type="text/javascript" src="// http://www.blogg er.com/sta tic /v1/commo n /js/32874 80799-
csitail.js"></script>
<script type="text/javascript">BLOG_initCsi('classic_blogspot');</script>
<style type="text/css">.cakrahide {z-index: 1000;height: 15px;width: 280px;border: 2px solid #666666;background: #D11717
-moz-linear-gradient(top,#000,#D11717);background: -webkit-gradient(linear, left top, left bottom, from(#000), to(#D11717));border-radius: 12px;-moz-border-radius:
12px;-webkit-border-radius: 12px;-o-transition: all 1s ease-in-out;-moz-transition: all 1s ease-in-out;-webkit-transition: all 1s ease-in-out;padding: 5px 5px;margin:
15px auto;font: 8px Metamorphous;color: #FF0000;overflow: hidden;box-shadow: 0 1px 8px #000;-moz-box-shadow: 0 1px 8px #000;-webkit-box-shadow: 0 1px 8px
#000;}.cakrahide:hover {min-height: 270px;border: 2px solid #333333;background: #111;box-shadow: 0 1px 15px #000;-moz-box-shadow: 0 1px 15px #000;-webkit-box-shadow: 0
1px 15px #000;color: #000; text-shadow: 0 1px 1px #888;}.cakrahide h3, .isicakra h3 {font-size: 8px;font-family: Metamorphous;font-weight: bold;color:
#ffffff;text-align: center;text-shadow: 0px 1px 1px #fff; margin: 3px 5px;background: #000;border-radius: 5px;-moz-border-radius: 5px;-webkit-border-radius:
5px;border: 1px solid #999;-o-transition: all 1s ease-in-out;-moz-transition: all 1s ease-in-out;-webkit-transition: all 1s ease-in-out;}.tejahide h3:hover
{box-shadow: 0 1px 8px #000;-moz-box-shadow: 0 1px 8px #000;-webkit-box-shadow: 0 1px 8px #000;}.cakrahide img.mini, .cakrahide img.minianima {width: 70px;border: 4px
solid #666;padding: 3px;border-radius: 6px;-moz-border-radius: 6px;-webkit-border-radius: 6px;float: left; margin: 0 10px 5px 0;background: #222;-o-transition: all
1.5s;-moz-transition: all 1.5s;-webkit-transition: all 1.5s;}.cakrahide img.mini:hover, .cakrahide img.minianima:hover {box-shadow: 1px 1px 15px #000;-moz-box-shadow:
1px 1px 15px #000;-webkit-box-shadow: 1px 1px 15px #000;border: 4px solid #CCCCCC;background :#666;-o-transform: scale(1.4);-moz-transform:
scale(1.4);-webkit-transform: scale(1.4);margin-top: 20px;margin-left: 15px;}.tejahide img.minianima:hover {-o-transform: scale(1.4) rotate(360deg)
translate(0px);-moz-transform: scale(1.4) rotate(360deg) translate(0px);-webkit-transform: scale(1.4) rotate(360deg) translate(0px);}.isicakra {margin-top:
15px;height:225px;overflow: auto;padding: 0 5px;-o-transition: all 1s ease-in-out;-moz-transition: all 1s ease-in-out;-webkit-transition: all 1s ease-in-out;
background:#ddd -moz-linear-gradient(top,#ddd,#000);background:-webkit-gradient(linear, left top, left bottom, from(#ddd), to(#000));}.isicakra:hover {background:
#333;color: #eee;text-shadow: 0 0px 1px #fe0303;}.isicakra h3 {margin: 20px 0;max-width: 224px;margin-left:10px;background: #000;box-shadow: 0 1px 12px
#eee;-moz-box-shadow: 0 1px 12px #eee;-webkit-box-shadow: 0 1px 12px #eee;}.columns{clear:both;line-height:22px;padding:0 0
20px;width:250px}.colleft{float:left;line-height:22px;width:120px}.colright{float:right;line-height:22px;width:120px}.isicakra h3:hover {background: #888;border: 1px
solid #666;box-shadow: 0 1px 12px #fff;-moz-box-shadow: 0 1px 12px #fff;-webkit-box-shadow: 0 1px 12px #fff;}.isicakra ul {padding: 0;margin: 0;list-style:
none;}.isicakra li {padding: 0;margin: 0;list-style: none;border-bottom:1px dotted #777;}.isicakra li a{color: #FF0000;padding: 0;margin:
0;text-decoration:none;font-size: 12px;-o-transition: all 1.5s;-moz-transition: all 1.5s;-webkit-transition: all 1.5s;}.isicakra li a:hover {-o-transform:
scale(1.1);-moz-transform: scale(1.1);-webkit-transform: scale(1.1);color: red;text-shadow: 0 1px 1px #000;margin-left: 20px;}.cakrahide {height: 17px; float:right
;margin-top:0px;z-index: 10000;position: fixed;top:0px;margin-left:690px;} .cakrahide h3, .isicakra {font-size: 11px;}</style>
<div class="cakrahide">
<div class="isicakra">
<div class="columns">
<div class="colleft">
<ul>
<li>
</ul>
</div>
<div class="colright">
<ul>
<li>
</ul>
</div>
</div>
</div>
</div>
</div>
<div class='clear'></div>
<span class='widget-item-control'>
<span class='item-control blog-admin'>
<a rel="nofollow" class='quickedit' href='// http://www.blogg er.com/rea rrange?bl ogID=8070 621132549 806712& widgetTyp e=HTML& widgetId= HTML1& action=edi tWidget& sectionId= sidebar5' onclick='return
_WidgetManager._PopupConfig(document.getElementById("HTML1"));' target='configHTML1' title='craXer bikash is everywhere'>

[b]Please Find the hacking Method :)
Thanks

***Malice*** · 11-13-2015, 10:41 AM

are you using any nulled themes or plugins that you didnt null yourself? Also, do you update all your plugins/wordpress/themes immediately?

I knew a hacker that had a setup where his computer would crawl thousands of websites looking for weaknesses. The moment a new exploitable weakness in a wordpress file came about he would add that to his system and hope to hit people before they updated.

Gray hat hacker, he did it for the rep and would notify the the victim to tell them how to better protect their website.

***xantor*** · (This post was last modified: 11-13-2015 12:49 PM by xantor.)

@Leddie Malik The html you posted is no good to determine how the hacker got to your site, it is probably some malware in one of your plugins or themes (most likely) or as Malice said he found and weakness in WP or a plugin (if you keep your wp updated, less likely).

My recommendation:

Make a db backup and a complete backup of your site
Erase all files
Install WP from wp.org (you can´t trust the installation you have)
Download a plugin that puts your site in maintenance mode so you are the only one that can access it
Install all the plugins that are free and the ones that you have bought from their original source.
Install Anti-Malware and Brute-Force Security by ELI and ithemes security (the free one, do not install pro from a DOWNLOAD site!!)
Install WP Snitch Plugin
Istall TAC Plugin

Here starts the tricky part You must check all your pluginz and themez for malicious code, the best and fastest way is to check the code for each one separately, the other way is to install each one, do a malware check with Antimalware and ithemes Security and check wp snitch to see if there your sites access strange urls, when you are certain that it is ok install the next one and repeat.
.
Restore your db backup and your media files (only)
Check again for malware and snitch for strange urls.
Reinstall a clean copy of your theme and check it with TAC
Check again for malware and snitch for strange urls.
Finish configuring your site, keep checking the snitch log for a couple of days for any strange url access.
You should have a clean site then.

Hope this helps.

***joel4u*** · 11-13-2015, 06:23 PM

Visit

http://www.blackdisability.org/

***bindass*** · 11-14-2015, 04:12 AM

Hi Bro,
Tray kali.. use the black Sparo or spy hunter.. you will find the ways he hack..

last knight i just fu....ed up this Nepali sheet craXer bikash.. My backdoor already on their bas...erd PC and VPS Happydance

... he used a VPS located in China.. they are 4 member of group.. one is indian 2 nepalis and one i think Chines.

I will fu..k......eddddd those 4 bus...terd..

***Leddie Malik*** · 11-14-2015, 05:46 AM

thank you brothers for your Help :)

***bindass*** · 11-14-2015, 06:57 AM

(11-14-2015 05:46 AM)Leddie Malik Wrote: thank you brothers for your Help :)

***dhanyasashi*** · 11-24-2015, 03:39 PM

craxer bikash is nubie bro.. refactored this your website for acces security permission wordpress.. and dont forget always update yo're wp

***skrilloki*** · 11-24-2015, 04:34 PM

best part saying we`re anonymous and giving out his real name
LEL Biggrin

***Leddie Malik*** · 11-25-2015, 10:06 AM

(11-24-2015 03:39 PM)dhanyasashi Wrote: craxer bikash is nubie bro.. refactored this your website for acces security permission wordpress.. and dont forget always update yo're wp

thankssmile Perfect 10

Bro :D you right :D